INCIDENCES of cyberattacks on banks, which have grown over the years, more so since the Covid-19 pandemic hit last year, can hurt their creditworthiness — a reality that the financial sector will increasingly have to grapple with going forward, experts say.
To date, there have been only a few cases of credit rating agencies downgrading a bank’s rating as a result of a cybercrime. However, S&P Global Ratings has warned that there will be more rating actions in the future as cyber incidents grow.
“While cyberattacks have had only a limited effect on ratings on financial institutions so far, we expect them to trigger more rating actions in the future as cyber incidents become more frequent and complex,” its credit analyst Irina Velevia says.
She says cyberattacks can harm credit ratings mainly through reputational damage and potential monetary losses.
According to Velevia, the rating impact of a cyber incident would vary depending on its characteristics and scope, as well as the extent of any reputational damage or losses.
“A theft of customer data may have a less material impact compared to a malware attack, for example. The rating impact would depend on how an entity’s credit metrics have changed as a result of the attack, and whether they were strong enough to absorb the losses and damage,” she says in a May 24 report.
One example of a rating impact was back in July 2019 when S&P downgraded Bank of Valletta, one of the oldest banks in Malta, after a cyberattack raised concerns about the robustness of the lender’s operational risk management.
The cyberattack took place on Feb 13 that year. In that incident, the bank, which accounted for almost half of Malta’s banking transactions, had to shut down all of its operations that day after hackers broke into its systems and attempted to shift funds overseas.
More recently, Russia-based securities firm Freedom Finance reported data theft in December 2020 following a successful phishing attempt, which resulted in a data leak that affected 16,000 clients. However, S&P’s ratings on the firm were unaffected owing to the company’s resilient capital and earnings position.
In May 2019, Equifax, a US-based consumer credit reporting agency, became the first company ever to have its credit rating outlook downgraded by Moody’s Investors Service because of cybersecurity concerns. Moody’s slashed Equifax’s outlook to “negative” from “stable”.
The downgrade was significant because it was the first time that cybersecurity was cited as a factor in an outlook change. Moody’s said Equifax’s massive breach of consumer data in 2017 would have a lasting effect on the company’s security spend and infrastructure costs.
More recently, in December 2020, Moody’s put software firm SolarWinds’ credit ratings under review for potential downgrade after the US-based company suffered a cyberattack.
These developments — and the fact that there will likely be more to come — suggest that it is critical for banks to move up cybersecurity in their list of priorities.
According to US-based software company Guidewire, the financial industry suffered more frequent cyberattacks than any other industry in the past five years. Its share of total incidents from 2016 to 2020 stood at 26% (see chart on Page 28).
The financial industry is a key target of cybercriminals because banks and other financial institutions store sensitive personal data and possess valuable information regarding financial transactions, explains S&P’s Velevia.
“Increasing digitalisation in the banking system, and accelerated work-from-home arrangements in response to the Covid-19 pandemic, have further exposed the industry to cybercriminal activity by significantly increasing online communication,” she says.
Interestingly, most publicly available cyber incidents at financial institutions are related to data breaches. Nevertheless, the number of ransomware attacks is also on the rise.
“Relatively large financial institutions continue to be the most frequent targets of reported successful attacks. Yet, in our view, no financial institution is immune to damaging cyber events and [those] that do not invest enough in cybersecurity could be attacked frequently and successfully,” Velevia warns.
According to research released by BAE Systems last month, nearly three-quarters (74%) of 902 banks and insurers that were surveyed in the US and the UK have seen a rise in cybercrimes since the Covid-19 pandemic began.
The increase in those crimes has also had a significant monetary impact. It was found that 56% of the financial institutions saw an upsurge in financial losses over the last 12 months — the average cost reaching US$720,000 (about RM3 million) and rising.
Closer to home, there are signs that cybercrimes are growing in Malaysia. There were 10,790 complaints reported to the Malaysia Computer Emergency Response Team (MyCERT) in 2020, up from 10,772 in 2019 and 10,699 in 2018. Fraud made up the bulk of the complaints in each of those years. MyCERT is a department under CyberSecurity Malaysia, the country’s national cybersecurity specialist and technical agency.
Meanwhile, S&P says it generally does not expect the management teams of financial institutions to eradicate cyberattacks.
“However, what is critical to us is the way in which institutions respond,” says Velevia.
“We think it likely that cyber incidents will become more sophisticated, thus making them more difficult to handle. We therefore consider that the expansion of the [institutions’] organisational digital capabilities should be accompanied by strengthening and increasing the cyber defence and cyber risk management culture.
“In particular, we expect organisations will enhance their cyber risk management frameworks,” she adds.